We’re pleased to announce ArcadeDB 26.7.2, a stability and correctness release that resolves over 130 issues. Where 26.7.1 focused on Raft resilience, OpenTelemetry tracing, and standards alignment, 26.7.2 turns the spotlight on the deep internals: a full engine audit across storage, WAL recovery, transactions, LSM indexes, and concurrency. On top of that it completes Neo4j Bolt driver certification, hardens High Availability further, and ships five critical security fixes.
Major Highlights
Deep Engine Audit
The heart of this release is a systematic audit of the storage and execution engine. These are the guarantees you rely on every commit, tightened across the board:
- Storage & recovery: WAL append is now the transaction’s point of no return, with pre-write validation. Torn 64KB page writes are repaired during recovery, and the page cache prevents both lost updates and unbounded growth.
- LSM index stability: Compaction no longer loses re-inserted keys or leaks orphaned pages, range scans are no longer truncated by tombstoned entries, and non-unique lookups no longer resurrect deleted records.
- Transaction safety: Double-indexed updates within a single transaction no longer corrupt indexes, dead-thread cleanup rolls back abandoned transactions properly, and virtual-thread compatibility is restored.
- Parallel query safety: A dedicated thread pool for bucket scans prevents deadlocks, each worker gets an isolated command context, and native iterators bound producer offers and close cleanly.
These are the fixes you feel under load and during the unhappy path, not in a benchmark.
Neo4j Bolt Driver Certification
ArcadeDB now achieves full compatibility certification with the Neo4j Bolt driver:
- Native temporal PackStream structures:
date,time,datetime, andlocaldatetime. - Native Path, Duration, and Point types.
- Retryable conflict mapping so the driver’s auto-retry works out of the box.
- HA-aware ROUTE responses and Bolt 5.x negotiation support.
- Populated write-result counters.
Security Hardening: 5 Critical Fixes
This release patches five critical vulnerabilities. Upgrading is strongly recommended for internet-facing and multi-tenant deployments:
- RCE via JavaScript triggers:
java.lang.*classes are removed from trigger allow-lists, restricting to benign packages only. - Arbitrary JavaScript execution: defining
jsfunctions now requiresUPDATE_SECURITYwith restricted polyglot access. - Secret disclosure via API: server settings now redact all hidden configuration keys, including cluster tokens.
- Cross-database IDOR: authorization checks added to 14 HTTP handlers to prevent unauthorized database access.
- Read-only mutation of schema: missing
UPDATE_SCHEMAguards added to schema and config mutators.
High Availability (Raft) Enhancements
- Durable Raft storage now defaults to
true, preventing follower divergence. - The leader auto-recovers wedged replication channels.
- A new
TransactionCommittedRemotelyException(HTTP 409) prevents duplicate retries. - Offline bootstrap leadership-transfer now commits a baseline.
Major Fixes
Query Engine: OpenCypher
- Dynamic property mutations (
SET n[key] = value) are now applied. - Inline relationship filters are enforced in
MATCH,exists(), comprehensions, and shortest-path queries. FOREACHupdates are visible to subsequentRETURNclauses.- Pattern comprehension and correlated subquery corrections.
- Temporal normalization is applied in index scans.
Query Engine: SQL
FROMis now usable as a property name in DDL and queries.ORDER BYon non-indexed properties returns correct results.TRAVERSEwithMAXDEPTHcorrected;BREADTH_FIRSTnow performs true breadth-first traversal.- Map indexing and array serialization fixes.
Additional Features
- User-defined functions are now persisted and distributed across HA clusters.
- Configurable vector quantization for sparse vector indexes.
- Commutative append-merge removes retry storms on high-degree vertices.
- Extended Cypher write-counter surfacing over HTTP and gRPC.
- Point datatype and spatial index support.
- Python binding performance improvements.
Dependencies
Notable upgrades include Netty 4.2.16, Jackson 2.22.1, PostgreSQL JDBC 42.7.13, GraalVM 25.1.3, and Neo4j Java driver 6.2.0, plus the usual round of updates.
Breaking Changes
Two behavioral changes to note when upgrading:
- Raft storage durability:
arcadedb.ha.raftPersistStoragenow defaults totrue. Ensure the storage directory resides on durable media. Test clusters can opt out explicitly. - Bolt temporal types: temporal values are now transmitted as native PackStream structures instead of ISO-8601 strings. Clients must read native types (e.g.,
asZonedDateTime()) rather than strings.
Getting Started with 26.7.2
Docker
docker pull arcadedata/arcadedb:26.7.2
Visit our Docker Hub repository for more information.
Maven
<dependency>
<groupId>com.arcadedb</groupId>
<artifactId>arcadedb-engine</artifactId>
<version>26.7.2</version>
</dependency>
All artifacts are available on Maven Central.
Documentation
For detailed information on features and usage, refer to our comprehensive documentation.
Compatibility Note
This release maintains 100% compatibility with previous database formats, meaning no export/import is required when upgrading. As always, we recommend creating a database backup before upgrading.
Download ArcadeDB 26.7.2 now: GitHub Releases
Thanks to everyone in the community who reported issues, opened PRs, and helped shape this release.
Luca Garulli ArcadeDB Founder